The Best of Firewall Management – Enabling “Smart Firewalls”

“Smart Cities” are growing in popularity with their ability to monitor traffic behavior and resource usage and adapt accordingly. Similarly, “Smart Firewalls,” enabled by Security Manager’s enhanced TFA feature, can collect data tied to the source, destination, service and even application in order to help firewall administrators modify or restrict access. Jody Brazil explains the advancements in Version 8 that make this possible.

TFA is a powerful feature for analyzing network traffic patterns. A physical analogy is cars on streets. A traffic monitoring system could be set up at an intersection to evaluate exactly how many cars flow through the intersection, in which directions (with special attention to cars turning at the intersection) and at what time of day. As a result, you can define new “rules” for the traffic control system (stop lights) to move cars through the intersection efficiently.

Similarly, TFA monitors traffic through a firewall rule. Instead of allowing all traffic to traverse in all directions, it monitors the empirical behaviors on the network and informs an administrator of the rules they can create to restrict access to only what is necessary.

In Version 8, we have dramatically improved this behavior. One significant advancement was the support for applications, which we covered last time. Continuing my traffic analogy, you could think of applications as another data point – for example, distinguishing between types of vehicles and understanding that truck traffic requires different rules than cars.

We’ve also enhanced TFA in Version 8 by expanding how data is collected. Previously, TFA only allowed a user to collect data on a specific firewall rule. In Version 8, you can collect it across an entire firewall, using any combination of source, destination, service or application as filters on the data collection.

Again, using the street traffic analogy, we can now map the flow of traffic between any two points in a city, or the traffic of any type of vehicle, regardless of which intersection it moves through. The scope of the analysis is now massive. Imagine sensors at every single intersection in your daily commute. In today’s parlance, we think of this as a “Smart City.” Using that same naming convention, FireMon enables “Smart Firewalls.”

For example, say you were asked to evaluate all the traffic that is allowed into a PCI zone in your network. You could enable TFA on the firewall that protects the PCI zone in order to monitor all traffic destined for networks in the PCI zone. Regardless of which rule is permitting the traffic, you can get a picture of exactly which hosts are communicating with servers in the PCI zone and over which services (HTTP, SMTP, FTP, etc.).
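The PCI-zone review described above amounts to a filter-and-aggregate pass over permitted-connection records. The following is an added example, not FireMon code or the product's method; the log format, rule IDs, addresses and the 10.50.0.0/24 zone are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample, assumed format: "rule_id src_ip dst_ip proto/port" per permitted flow.
SAMPLE_LOG = """\
r12 10.1.4.20 10.50.0.10 tcp/443
r40 10.1.4.20 10.50.0.10 tcp/443
r12 10.1.4.21 10.50.0.10 tcp/443
r30 10.2.9.5 10.50.0.25 tcp/25
r30 10.2.9.5 10.50.0.25 tcp/25
r99 192.168.7.14 10.50.0.10 tcp/21
r12 10.1.4.20 10.60.1.1 tcp/443
r12 not-an-ip 10.50.0.10 tcp/443
"""
PCI_ZONE = [ipaddress.ip_network("10.50.0.0/24")]  # assumed PCI zone network

def parse(log):
    """Yield (rule, src, dst, service); skip lines that do not parse."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield parts[0], ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]), parts[3]
        except ValueError:
            continue

def flows_into_zone(log, zone):
    """Count flows destined to the zone, whichever rule permitted them."""
    counts, rules = Counter(), {}
    for rule, src, dst, svc in parse(log):
        if any(dst in net for net in zone):
            key = (str(src), str(dst), svc)
            counts[key] += 1
            rules.setdefault(key, set()).add(rule)
    return counts, rules

def candidate_rules(counts):
    """Observed sources per (destination, service): the basis for a tighter rule."""
    grouped = {}
    for src, dst, svc in counts:
        grouped.setdefault((dst, svc), set()).add(src)
    return {k: sorted(v) for k, v in grouped.items()}

if __name__ == "__main__":
    counts, rules = flows_into_zone(SAMPLE_LOG, PCI_ZONE)
    for key, n in counts.most_common():
        print(key, "hits:", n, "permitted by:", sorted(rules[key]))
    print(candidate_rules(counts))
```

In the constructed data, the FTP flow from 192.168.7.14 and the HTTPS flow permitted by two different rules are the kinds of findings a zone-wide view surfaces that a per-rule view would not.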

Finally, in Version 8, we dramatically improved the performance of TFA. Large datasets used to make generating a TFA report a VERY time-consuming and system-intensive operation. With the capacity to collect greater amounts of data, it was critical that we improve the performance of the analysis. The results are stunning. TFA now returns in mere seconds results that used to take minutes. And while it is still possible to generate enough data to make the report take longer than seconds to run, it is still an amazingly fast process for the complexity of the analysis.